Friday, July 31, 2009

Dev Tools for Security Testing

I have been realizing that even the development tools can be good for initial security testing !!Let me explain what I mean by this.

For instance, I have been working on a highly sensitive application (in defense sector) and this is a supposedly a Thick Client application. Developed using Windows Forms and the latest technologies of Messaging, this application can be tested for security by the development tool like Visual Studio features itself.

Most of the security testing include Data Validation checks. Input Validation, Output Validation, SQL Injection, etc are few checks related to data validation. These checks can be done using the Visual Studio IDE itself where the values for the application can be changed and checked if the application passes the validation check.

Simple Steps in a Typical Scenario:1. My dev teams says they have performed the validation both at the client-side and server-side code to ensure application security. However, this needs to be checked.2. So, if I pass valid values at the application client side, debug the application at server-side to change the values passed to check if the server-side validation actually fires the validation, my job is done.3. Why would I choose such a method? because typically other than application sending request over HTTP, it is "really" tough to intercept the request sent from the client machine to the server and modify the request parameters for security mis-use cases.

IMO, close to 60% security checks could be easily done by using the dev tools debug features itself and it proves really useful if the application sends requests in non-HTTP protocol.

About Me

He is involved in Application Security Consulting and establishing App Security across SDLC. He also conducts security workshops for the developer community. Besides interest in App Security, he likes Performance Testing and tuning of web applications.